use privileged source object

This commit is contained in:
Paul Weil
2015-08-24 13:41:51 -04:00
parent 4c88aeeda2
commit 709e654686
5 changed files with 31 additions and 11 deletions


@@ -25,13 +25,21 @@ import (
type Capabilities struct {
AllowPrivileged bool
// List of pod sources for which using host network is allowed.
HostNetworkSources []string
// Pod sources from which to allow privileged capabilities like host networking, sharing the host
// IPC namespace, and sharing the host PID namespace.
PrivilegedSources PrivilegedSources
// PerConnectionBandwidthLimitBytesPerSec limits the throughput of each connection (currently only used for proxy, exec, attach)
PerConnectionBandwidthLimitBytesPerSec int64
}
// PrivilegedSources defines the pod sources allowed to make privileged requests for certain types
// of capabilities like host networking, sharing the host IPC namespace, and sharing the host PID namespace.
type PrivilegedSources struct {
// List of pod sources for which using host network is allowed.
HostNetworkSources []string
}
// TODO: Clean these up into a singleton
var once sync.Once
var lock sync.Mutex
@@ -46,10 +54,10 @@ func Initialize(c Capabilities) {
}
// Setup the capability set. It wraps Initialize for improving usibility.
func Setup(allowPrivileged bool, hostNetworkSources []string, perConnectionBytesPerSec int64) {
func Setup(allowPrivileged bool, privilegedSources PrivilegedSources, perConnectionBytesPerSec int64) {
Initialize(Capabilities{
AllowPrivileged: allowPrivileged,
HostNetworkSources: hostNetworkSources,
PrivilegedSources: privilegedSources,
PerConnectionBandwidthLimitBytesPerSec: perConnectionBytesPerSec,
})
}
@@ -68,8 +76,10 @@ func Get() Capabilities {
// This check prevents clobbering of capabilities that might've been set via SetForTests
if capabilities == nil {
Initialize(Capabilities{
AllowPrivileged: false,
HostNetworkSources: []string{},
AllowPrivileged: false,
PrivilegedSources: PrivilegedSources{
HostNetworkSources: []string{},
},
})
}
return *capabilities
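Review bot: The new doc comments in the first hunk (the `PrivilegedSources` field in `Capabilities` and the `PrivilegedSources` type itself) promise sources for "sharing the host IPC namespace, and sharing the host PID namespace", but the struct only declares `HostNetworkSources`, so nothing in this commit lets an operator allow or deny those two capabilities and a reader may believe they are governed here when they are not. Either keep the comment to what the type does today or mark the rest as planned, e.g. `// PrivilegedSources defines the pod sources allowed to make privileged requests.` followed by `// Currently only host networking is covered; host IPC and host PID sources are not yet represented.` The `Setup` change in the second hunk and the fail-closed default in `Get` (empty `HostNetworkSources`, `AllowPrivileged: false`) look consistent with that narrower scope. The surrounding `import (` block and the `Get` function both start outside the visible hunks.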